[Bug 8411] New: Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory

bugzilla at busybox.net bugzilla at busybox.net
Tue Oct 20 00:29:12 UTC 2015


https://bugs.busybox.net/show_bug.cgi?id=8411

           Summary: Directory traversal via crafted tar file which
                    contains a symlink pointing outside of the current
                    directory
           Product: Busybox
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
        AssignedTo: unassigned at busybox.net
        ReportedBy: tyhicks at canonical.com
                CC: busybox-cvs at busybox.net
   Estimated Hours: 0.0


It was discovered that busybox's tar implementation will extract a symlink that
points outside of the current working directory and follow that symlink when
extracting other files. This allows for a directory traversal attack when
extracting untrusted tarballs.

This behavior is documented in the source code:

  http://git.busybox.net/busybox/tree/archival/tar.c#n25

I took a quick look at how GNU tar handles such situations. If the symlink
target is absolute or contains a ".." component, they create a regular file as
a placeholder. After all other files have been extracted, the placeholder files
are replaced with the originally intended symlinks.

(That is also how they handle hardlink extraction but I don't see any support
for LNKTYPE files in busybox tar.)

-- 
Configure bugmail: https://bugs.busybox.net/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the busybox-cvs mailing list